BRSKI-AE: Alternative Enrollment Protocols in BRSKI
draft-ietf-anima-brski-ae-13
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2024-12-23
|
13 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2024-10-02
|
13 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2024-09-27
|
13 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2024-09-27
|
13 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2024-09-23
|
13 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2024-09-19
|
13 | (System) | RFC Editor state changed to EDIT |
2024-09-19
|
13 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2024-09-19
|
13 | (System) | Announcement was received by RFC Editor |
2024-09-19
|
13 | (System) | IANA Action state changed to In Progress |
2024-09-19
|
13 | (System) | Removed all action holders (IESG state changed) |
2024-09-19
|
13 | Cindy Morgan | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2024-09-19
|
13 | Cindy Morgan | IESG has approved the document |
2024-09-19
|
13 | Cindy Morgan | Closed "Approve" ballot |
2024-09-19
|
13 | Cindy Morgan | Ballot approval text was generated |
2024-09-19
|
13 | Cindy Morgan | Ballot writeup was changed |
2024-09-19
|
13 | Mahesh Jethanandani | IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup |
2024-09-17
|
13 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-13.txt |
2024-09-17
|
13 | David von Oheimb | New version accepted (logged-in submitter: David von Oheimb) |
2024-09-17
|
13 | David von Oheimb | Uploaded new revision |
2024-09-05
|
12 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::AD Followup from IESG Evaluation |
2024-09-05
|
12 | Murray Kucherawy | [Ballot comment] Section 2 defines the following terms that don't appear elsewhere in the document: asynchronous communication, synchronous communication. |
2024-09-05
|
12 | Murray Kucherawy | [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy |
2024-09-04
|
12 | John Scudder | [Ballot comment] Thanks for this document. I have two minor comments/nits: - please alphabetize your terminology section. - in, “The following terms are described partly … [Ballot comment] Thanks for this document. I have two minor comments/nits: - please alphabetize your terminology section. - in, “The following terms are described partly in addition.” I don’t know what you mean by “partly“. Would the sentence be correct if you deleted that word? |
2024-09-04
|
12 | John Scudder | [Ballot Position Update] New position, No Objection, has been recorded for John Scudder |
2024-09-04
|
12 | Francesca Palombini | [Ballot Position Update] New position, No Objection, has been recorded for Francesca Palombini |
2024-09-03
|
12 | (System) | IANA Review state changed to IANA OK - Actions Needed from Version Changed - Review Needed |
2024-09-03
|
12 | Paul Wouters | [Ballot Position Update] New position, No Objection, has been recorded for Paul Wouters |
2024-09-03
|
12 | Roman Danyliw | [Ballot comment] Thank you to Meral Shirazipour for the GENART review. ** Section 4.2.1 As a more general solution, the BRSKI discovery mechanism can … [Ballot comment] Thank you to Meral Shirazipour for the GENART review. ** Section 4.2.1 As a more general solution, the BRSKI discovery mechanism can be extended to provide up-front information on the capabilities of registrars. Future work such as [I-D.eckert-anima-brski-discovery] may provide this. Does it make sense to reference and promise work on an individual, expired I-D? ** Section 7 notes that the Security Considerations of RFC8995 apply. What of the privacy consideration of RFC8895 (Section 10)? Do they apply or need any refinement (e.g., Section 10.2)? |
2024-09-03
|
12 | Roman Danyliw | [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw |
2024-09-03
|
12 | Zaheduzzaman Sarker | [Ballot comment] Thanks for working on this specification. No comments/issues raised druing my review from transport portocol point of view. |
2024-09-03
|
12 | Zaheduzzaman Sarker | [Ballot Position Update] New position, No Objection, has been recorded for Zaheduzzaman Sarker |
2024-09-03
|
12 | Jim Guichard | [Ballot Position Update] New position, No Objection, has been recorded for Jim Guichard |
2024-09-03
|
12 | Deb Cooley | [Ballot comment] I'm leaving my old discuss text below, just because I can. The authors pointed me to RFC8995 section 5.6 and 11.4, which nicely … [Ballot comment] I'm leaving my old discuss text below, just because I can. The authors pointed me to RFC8995 section 5.6 and 11.4, which nicely explains how the chain between pledge, MASA, and registrar works to ensure that the registrar is the legit registrar. In the process, one of the authors suggested that the voucher process could be added to figure 2, which I'd be happy to see, if and only if it doesn't make the figure unweildy. Thanks to the authors for the quick response and for politely pointing me to the referenced RFCs. ---------------------------------------------------------------------- old DISCUSS: ---------------------------------------------------------------------- While this draft clearly outlines the requirements for proof of possession and integrity/authentication of the pledge, I did not see any discussion on integrity/authentication of the RA/CA. How can the pledge determine if it is requesting certificates (either its own or CA) from the proper RA/CA? One of the advantages of EST is that the pledge can verify the EST server certificate, and an on-path attack is harder when there is an adequate TLS session. Is that the case with CMP (or SCEP)? If so, either point me to where that is documented or add a couple of sentences on how that is done. If not, please add a section to the Security Considerations. |
2024-09-03
|
12 | Deb Cooley | [Ballot Position Update] Position for Deb Cooley has been changed to No Objection from Discuss |
2024-09-02
|
12 | Deb Cooley | [Ballot discuss] While this draft clearly outlines the requirements for proof of possession and integrity/authentication of the pledge, I did not see any discussion on … [Ballot discuss] While this draft clearly outlines the requirements for proof of possession and integrity/authentication of the pledge, I did not see any discussion on integrity/authentication of the RA/CA. How can the pledge determine if it is requesting certificates (either its own or CA) from the proper RA/CA? One of the advantages of EST is that the pledge can verify the EST server certificate, and an on-path attack is harder when there is an adequate TLS session. Is that the case with CMP (or SCEP)? If so, either point me to where that is documented or add a couple of sentences on how that is done. If not, please add a section to the Security Considerations. |
2024-09-02
|
12 | Deb Cooley | [Ballot Position Update] New position, Discuss, has been recorded for Deb Cooley |
2024-09-02
|
12 | Éric Vyncke | [Ballot comment] # Éric Vyncke, INT AD, comments for draft-ietf-anima-brski-ae-12 Thank you for the work put into this document (and the SVG figures). It is … [Ballot comment] # Éric Vyncke, INT AD, comments for draft-ietf-anima-brski-ae-12 Thank you for the work put into this document (and the SVG figures). It is sometimes hard to read with very long sentences. Please find below just one non-blocking NIT points. Special thanks to Toerless Eckert for the shepherd's detailed write-up including the WG consensus and the justification of the intended status. I hope that this review helps to improve the document, Regards, -éric # NITS (non-blocking / cosmetic) ## Section 1 As English is not my primary language, I find weird the use of "production" rather than "manufacturing" in `during its production`. |
2024-09-02
|
12 | Éric Vyncke | [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke |
2024-08-31
|
12 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
2024-08-29
|
12 | Gunter Van de Velde | [Ballot comment] # Gunter Van de Velde, RTG AD, comments for draft-ietf-anima-brski-ae-12 #GENERIC COMMENTS #================ ## The text contains many acronyms making it not easy … [Ballot comment] # Gunter Van de Velde, RTG AD, comments for draft-ietf-anima-brski-ae-12 #GENERIC COMMENTS #================ ## The text contains many acronyms making it not easy to digest when not familiar with ANIMA technology. (i am not that familiar with ANIMA) ## I provided a few rewrites of text to help the structure and simplify reading the content, while keeping the original message, and hope it helps improve document quality #DETAILED COMMENTS #================= ##classified as [minor] and [major] 11 Abstract 12 13 This document defines an enhancement of Bootstrapping Remote Secure 14 Key Infrastructure (BRSKI, RFC 8995). It supports alternative 15 certificate enrollment protocols, such as CMP, that use authenticated 16 self-contained signed objects for certification messages. [minor] Possibly we could make the abstract slightly higher level to describe the content of the draft. What about the following proposed alternative abstract: " This document defines enhancements to the Bootstrapping Remote Secure Key Infrastructure (BRSKI) protocol, known as BRSKI-AE (Alternative Enrollment). BRSKI-AE extends BRSKI to support alternative enrollment mechanisms beyond those originally specified, allowing for flexibility in network device onboarding scenarios. The enhancements address use cases where the existing BRSKI mechanisms may not be feasible or optimal, providing a framework for integrating other automated bootstrapping and enrollment techniques. This document also updates the BRSKI reference architecture to accommodate these alternative methods, ensuring secure and scalable deployment across a range of network environments. " 106 This approach provides the following advantages. The origin of 107 requests and responses can be authenticated independent of message 108 transfer. This supports end-to-end authentication (proof of origin) 109 also over multiple hops, as well as asynchronous operation of 110 certificate enrollment. This in turn provides architectural 111 flexibility where and when to ultimately authenticate and authorize 112 certification requests while retaining full-strength integrity and 113 authenticity of certification requests. [major] I am not sure what is the correlation between (proof of origin) and "end-to-end authentication". Why is the prrof of origin between brakets? [minor] I found this paragraph unfortunatly strucured. What about following proposal: " This approach offers several distinct advantages. It allows for the authentication of the origin of requests and responses independently of the message transfer mechanism. This capability facilitates end-to-end authentication (proof of origin) across multiple hops and supports the asynchronous operation of certificate enrollment. Consequently, this provides architectural flexibility in determining the location and timing for the ultimate authentication and authorization of certification requests, while ensuring the integrity and authenticity of those requests is maintained with full cryptographic strength. " 137 The goals of BRSKI-AE are to provide an enhancement of BRSKI for 138 LDevID certificate enrollment using, alternatively to EST, a protocol 139 that 140 141 * supports end-to-end authentication over multiple hops 142 143 * enables secure message exchange over any kind of transfer, 144 including asynchronous delivery. 145 146 Note that the BRSKI voucher exchange of the pledge with the registrar 147 and MASA uses authenticated self-contained objects, so the voucher 148 exchange already has these properties. 149 150 The well-known URI approach of BRSKI and EST messages is extended 151 with an additional path element indicating the enrollment protocol 152 being used. 153 154 Based on the definition of the overall approach and specific 155 endpoints, this specification enables the registrar to offer multiple 156 enrollment protocols, from which pledges and their developers can 157 then pick the most suitable one. 158 159 It may be noted that BRSKI (RFC 8995) specifies how to use HTTP over 160 TLS, but further variants are known, such as Constrained BRSKI 161 [I-D.ietf-anima-constrained-voucher] using CoAP over DTLS. In the 162 sequel, 'HTTP' and 'TLS' are just references to the most common case, 163 where variants such as using CoAP and/or DTLS are meant to be 164 subsumed - the differences are not relevant here. 165 166 This specification is sufficient together with its references to 167 support BRSKI with the Certificate Management Protocol (CMP, 168 [RFC9480]) profiled in the Lightweight CMP Profile (LCMPP, 169 [RFC9483]). Combining BRSKI with a protocol or profile other than 170 LCMPP will require additional IANA registrations based on the rules 171 specified in this document. It may also require additional 172 specifications for details of the protocol or profile (similar to 173 [RFC9483]), which are outside the scope of this document. [minor] A possible alternate rewrite to make the text easier to read: " The objectives of BRSKI-AE are to enhance BRSKI by enabling LDevID certificate enrollment through the use of an alternative protocol to EST, which: * Supports end-to-end authentication across multiple hops. * Facilitates secure message exchange over any type of transfer mechanism, including asynchronous delivery. It should be noted that the BRSKI voucher exchange between the pledge, registrar, and MASA involves the use of authenticated self-contained objects, which inherently possess these properties. The existing well-known URI structure used for BRSKI and EST messages is extended by introducing an additional path element that specifies the enrollment protocol being employed. This specification allows the registrar to offer multiple enrollment protocols, enabling pledges and their developers to select the most appropriate one based on the defined overall approach and specific endpoints. It is important to recognize that BRSKI (RFC 8995) specifies the use of HTTP over TLS, but variations such as Constrained BRSKI [I-D.ietf-anima-constrained-voucher], which uses CoAP over DTLS, are also recognized. In this context, 'HTTP' and 'TLS' are used as references to the most common implementation, though variants using CoAP and/or DTLS are implied where applicable, as the distinctions are not pertinent here. This specification, together with its referenced documents, is sufficient to support BRSKI with the Certificate Management Protocol (CMP, [RFC9480]) as profiled in the Lightweight CMP Profile (LCMPP, [RFC9483]). Integrating BRSKI with a protocol or profile other than LCMPP will necessitate additional IANA registrations, as detailed in this document. Furthermore, additional specifications may be required for the details of the protocol or profile, which fall outside the scope of this document. " 175 1.1. Supported Scenarios 176 177 BRSKI-AE is intended to be used in situations like the following. 178 179 * Pledges and/or the target domain reuse an already established 180 certificate enrollment protocol different from EST, such as CMP. 181 182 * The application scenario indirectly excludes the use of EST for 183 certificate enrollment, for reasons like these: 184 185 - The Registration Authority (RA) is not co-located with the 186 registrar while it requires end-to-end authentication of 187 requesters. Yet EST does not support end-to-end authentication 188 over multiple hops. 189 190 - The RA or certification authority (CA) operator requires 191 auditable proof of origin for Certificate Signing Requests 192 (CSRs). This is not possible with TLS because it provides only 193 transient source authentication. 184 195 - Certificates are requested for types of keys, such as Key 196 Encapsulation Mechanism (KEM) keys, that do not support signing 197 (nor alternative forms of single-shot proof of possession like 198 those described in [RFC6955]). This is not supported by EST 199 because it uses CSRs in PKCS #10 [RFC2986] format, which can 200 only use proof-of-possession methods that need just a single 201 message, while proof of possession for KEM keys, for instance, 202 requires receiving a fresh challenge value beforehand. 203 204 - The pledge implementation uses security libraries not providing 205 EST support or uses a TLS library that does not support 206 providing the so-called tls-unique value [RFC5929], which is 207 needed by EST for strong binding of the source authentication. 208 209 * No full RA functionality is available on-site in the target 210 domain, while connectivity to an off-site RA may be intermittent 211 or entirely offline. 212 213 * Authoritative actions of a local RA at the registrar is not 214 sufficient for fully and reliably authorizing pledge certification 215 requests. This may be due to missing data access or due to an 216 insufficient level of security, for instance regarding the local 217 storage of private keys. 217 219 Bootstrapping can be handled in various ways, depending on the 220 application domains. The informative Appendix A provides 221 illustrative examples from various industrial control system 222 environments and operational setups motivating the support of 223 alternative enrollment protocols. [minor] possible rewrite for readability " BRSKI-AE is designed for use in scenarios such as the following: * Pledges and/or the target domain leverage an existing certificate enrollment protocol other than EST, such as CMP. * The application context precludes the use of EST for certificate enrollment due to factors such as: - The Registration Authority (RA) is not co-located with the registrar and requires end-to-end authentication of requesters, which EST does not support over multiple hops. - The RA or Certification Authority (CA) operator mandates auditable proof of origin for Certificate Signing Requests (CSRs), which cannot be provided by TLS as it only offers transient source authentication. - Certificates are required for key types, such as Key Encapsulation Mechanism (KEM) keys, that do not support signing or other single-shot proof of possession methods, as described in [RFC6955]. EST, which relies on CSRs in PKCS #10 [RFC2986] format, does not accommodate these key types because it necessitates proof-of-possession methods that operate within a single message, whereas proof of possession for KEM keys requires prior receipt of a fresh challenge value. - The pledge implementation employs security libraries that do not support EST or uses a TLS library lacking support for the "tls-unique" value [RFC5929], which EST requires for the strong binding of source authentication. * Full RA functionality is not available on-site within the target domain, and connectivity to an off-site RA may be intermittent or entirely offline. * Authoritative actions by a local RA at the registrar are insufficient for fully and reliably authorizing pledge certification requests, potentially due to a lack of access to necessary data or inadequate security measures, such as the local storage of private keys. Bootstrapping may be managed in various ways depending on the application domain. Appendix A provides illustrative examples from different industrial control system environments and operational contexts that justify the support of alternative enrollment protocols. " 258 CSR: Certificate Signing Request [minor] other entries have a RFC associated as reference, but this one has not? Is that intentional? 847 BRSKI-AE provides generalizations to the addressing scheme defined in 848 BRSKI [RFC8995], Section 5 to accommodate alternative enrollment 849 protocols that use authenticated self-contained objects for 850 certification requests. In existing RAs/CAs supporting such an 851 enrollment protocol (see also Section 5), these generalizations can 852 be employed without modifications. [minor] This seems to read odd. What about the following alternative: " BRSKI-AE extends the addressing scheme outlined in [RFC8995], Section 5, to support alternative enrollment protocols that utilize authenticated, self-contained objects for certification requests. These extensions are designed to be compatible with existing Registration Authorities (RAs) and Certification Authorities (CAs) that already support such enrollment protocols, enabling their use without requiring any modifications. " 921 5.1. BRSKI-CMP: BRSKI-AE instantiated with CMP 922 923 Instead of referring to CMP as specified in [RFC4210] and [RFC9480], 924 this document refers to the Lightweight CMP Profile (LCMPP) [RFC9483] 925 because the subset of CMP defined there is sufficient for the 926 functionality needed here. 927 928 When using CMP, adherence to the LCMPP [RFC9483] is REQUIRED. In 929 particular, the following specific requirements apply (cf. 930 Figure 2). 931 932 * CA Certs Request (1) and Response (2): 933 Requesting CA certificates is OPTIONAL. 934 If supported, it SHALL be implemented as specified in [RFC9483], 935 Section 4.3.1. 936 937 * Attribute Request (3) and Response (4): 938 Requesting certification request attributes is OPTIONAL. 939 If supported, it SHALL be implemented as specified in [RFC9483], 940 Section 4.3.3. 941 942 Alternatively, the registrar MAY modify the contents of the 943 requested certificate contents as specified in [RFC9483], 944 Section 5.2.3.2. 945 946 * Certification Request (5) and Response (6): 947 Certificates SHALL be requested and provided as specified in the 948 LCMPP [RFC9483], Section 4.1.1 (based on CRMF) or [RFC9483], 949 Section 4.1.4 (based on PKCS #10). 950 951 Proof of possession SHALL be provided in a way suitable for the 952 key type. Proof of identity SHALL be provided by signature-based 953 protection of the certification request message as outlined in 954 [RFC9483], Section 3.2 using the IDevID secret. 955 956 When the registrar forwards a certification request by the pledge 957 to a backend RA/CA, the registrar is RECOMMENDED to wrap the 958 original certification request in a nested message signed with its 959 own credentials as described in [RFC9483], Section 5.2.2.1. This 960 explicitly conveys the consent by the registrar to the RA while 961 retaining the original certification request message with its 962 proof of origin provided by the pledge signature. 963 964 In case additional trust anchors (besides the pinned-domain-cert) 965 need to be conveyed to the pledge, this SHOULD be done in the 966 caPubs field of the certification response rather than in a CA 967 Certs Response. 968 969 * Certificate Confirm (7) and PKI/Registrar Confirm (8): 970 Explicit confirmation of new certificates to the RA/CA MAY be used 971 as specified in [RFC9483], Section 4.1.1. 972 973 Note that independently of the certificate confirmation within 974 CMP, enrollment status telemetry with the registrar at BRSKI level 975 will be performed as described in [RFC8995], Section 5.9.4. 976 977 * If delayed delivery of CMP messages is needed (for instance, to 978 support enrollment over an asynchronous channel), it SHALL be 979 performed as specified in Section 4.4 and Section 5.1.2 of 980 [RFC9483]. 981 982 How messages are exchanged between the registrar and backend PKI 983 components (i.e., RA and/or CA) is out of scope of this document. 984 Since CMP is independent of message transfer, the mechanism for this 985 exchange can be freely chosen according to the needs of the 986 application scenario. For the applicable security considerations, 987 see Section 7. Further guidance can be found in [RFC9483], 988 Section 6. 989 990 BRSKI-AE with CMP can also be combined with Constrained BRSKI 991 [I-D.ietf-anima-constrained-voucher], using CoAP for enrollment 992 message transport as described by CoAP Transport for CMP [RFC9482]. 993 In this scenario, the EST-specific parts of 994 [I-D.ietf-anima-constrained-voucher] do not apply. 995 996 For BRSKI-AE scenarios where a general solution (cf. Section 4.2.1) 997 for discovering registrars with CMP support is not available, the 998 following minimalist approach MAY be used. Perform discovery as 999 defined in BRSKI [RFC8995], Appendix B but using the service name 1000 "brski-registrar-cmp" (defined in Section 6) instead of "brski- 1001 registrar" (defined in [RFC8995], Section 8.6). Note that this 1002 approach does not support join proxies. [minor] proposed readability rewrite: " In this document, references to CMP follow the Lightweight CMP Profile (LCMPP) [RFC9483] rather than [RFC4210] and [RFC9480], as the subset of CMP defined in LCMPP sufficiently meets the required functionality. Adherence to the LCMPP [RFC9483] is REQUIRED when using CMP. The following specific requirements apply (refer to Figure 2): * CA Certificates Request (1) and Response (2): Requesting CA certificates is OPTIONAL. If supported, it SHALL be implemented as specified in [RFC9483], Section 4.3.1. * Attribute Request (3) and Response (4): Requesting certification request attributes is OPTIONAL. If supported, it SHALL be implemented as specified in [RFC9483], Section 4.3.3. Alternatively, the registrar MAY modify the requested certificate contents as specified in [RFC9483], Section 5.2.3.2. * Certification Request (5) and Response (6): Certificates SHALL be requested and provided as specified in LCMPP [RFC9483], Section 4.1.1 (based on CRMF) or Section 4.1.4 (based on PKCS #10). Proof of possession SHALL be provided in a manner suitable for the key type. Proof of identity SHALL be provided by signature-based protection of the certification request message as outlined in [RFC9483], Section 3.2, using the IDevID secret. When the registrar forwards a certification request from the pledge to a backend RA/CA, it is RECOMMENDED that the registrar wraps the original certification request in a nested message signed with its own credentials, as described in [RFC9483], Section 5.2.2.1. This approach explicitly conveys the registrar's consent to the RA while retaining the original certification request with the proof of origin provided by the pledge's signature. If additional trust anchors, beyond the pinned-domain-cert, need to be conveyed to the pledge, this SHOULD be done in the caPubs field of the certification response rather than through a CA Certificates Response. * Certificate Confirm (7) and PKI/Registrar Confirm (8): Explicit confirmation of new certificates to the RA/CA MAY be used as specified in [RFC9483], Section 4.1.1. Note that independent of certificate confirmation within CMP, enrollment status telemetry with the registrar at the BRSKI level will be performed as described in [RFC8995], Section 5.9.4. * If delayed delivery of CMP messages is required (e.g., to support enrollment over an asynchronous channel), it SHALL be performed as specified in Section 4.4 and Section 5.1.2 of [RFC9483]. The mechanisms for exchanging messages between the registrar and backend PKI components (i.e., RA and/or CA) are outside the scope of this document. CMP's independence from the message transfer mechanism allows for flexibility in choosing the appropriate exchange method based on the application scenario. For applicable security considerations, refer to Section 7. Further guidance can be found in [RFC9483], Section 6. BRSKI-AE with CMP can also be combined with Constrained BRSKI [I-D.ietf-anima-constrained-voucher], using CoAP for enrollment message transport as described by CoAP Transport for CMP [RFC9482]. In such scenarios, the EST-specific parts of [I-D.ietf-anima-constrained-voucher] do not apply. For BRSKI-AE scenarios where a general solution for discovering registrars with CMP support is not available (cf. Section 4.2.1), the following minimalist approach MAY be used: perform discovery as defined in BRSKI [RFC8995], Appendix B, but use the service name "brski-registrar-cmp" (as defined in Section 6) instead of "brski-registrar" (as defined in [RFC8995], Section 8.6). Note that this approach does not support join proxies. " |
2024-08-29
|
12 | Gunter Van de Velde | [Ballot Position Update] New position, No Objection, has been recorded for Gunter Van de Velde |
2024-08-27
|
12 | Cindy Morgan | Placed on agenda for telechat - 2024-09-05 |
2024-08-27
|
12 | Mahesh Jethanandani | Ballot has been issued |
2024-08-27
|
12 | Mahesh Jethanandani | [Ballot Position Update] New position, Yes, has been recorded for Mahesh Jethanandani |
2024-08-27
|
12 | Mahesh Jethanandani | Created "Approve" ballot |
2024-08-27
|
12 | Mahesh Jethanandani | IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead |
2024-07-15
|
12 | Carlos Pignataro | Closed request for Last Call review by OPSDIR with state 'Team Will not Review Document' |
2024-07-15
|
12 | Carlos Pignataro | Assignment of request for Last Call review by OPSDIR to Dan Romascanu was withdrawn |
2024-07-13
|
12 | Carlos Pignataro | Request for Last Call review by OPSDIR is assigned to Dan Romascanu |
2024-07-05
|
12 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2024-07-05
|
12 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-12.txt |
2024-07-05
|
12 | (System) | New version approved |
2024-07-05
|
12 | (System) | Request for posting confirmation emailed to previous authors: David von Oheimb , Hendrik Brockhaus , Steffen Fries |
2024-07-05
|
12 | David von Oheimb | Uploaded new revision |
2024-06-19
|
11 | (System) | IESG state changed to Waiting for AD Go-Ahead from In Last Call |
2024-06-18
|
11 | Meral Shirazipour | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Meral Shirazipour. Sent review to list. Submission of review completed at an earlier … Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Meral Shirazipour. Sent review to list. Submission of review completed at an earlier date. |
2024-06-18
|
11 | Meral Shirazipour | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Meral Shirazipour. |
2024-06-18
|
11 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed |
2024-06-18
|
11 | David Dong | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: IANA has completed its review of draft-ietf-anima-brski-ae-11. If any part of this review is inaccurate, please let us know. IANA … (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: IANA has completed its review of draft-ietf-anima-brski-ae-11. If any part of this review is inaccurate, please let us know. IANA understands that, upon approval of this document, there is a single action which we must complete. First, in the Service Name and Transport Protocol Port Number Registry located at: https://www.iana.org/assignments/service-names-port-numbers/ a single new service name is to be assigned as follows: Service Name: brski-registrar-cmp Transport Protocol: tcp Description: Bootstrapping Remote Secure Key Infrastructure registrar with CMP capabilities according to the Lightweight CMP Profile (LCMPP, [RFC9483]) Assignee: IESG Contact: IETF Chair Reference: [ RFC-to-be ] NOTE: This document lists the IESG as the contact for the registration, but according to RFC 6335 this should be the IETF Chair . This should be updated in the document. NOTE: The action requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the action that will be performed. For definitions of IANA review states, please see: https://datatracker.ietf.org/help/state/draft/iana-review Thank you, David Dong IANA Services Sr. Specialist |
2024-06-10
|
11 | Carlos Pignataro | Request for Last Call review by OPSDIR is assigned to Carlos Martínez |
2024-06-06
|
11 | Jean Mahoney | Request for Last Call review by GENART is assigned to Meral Shirazipour |
2024-06-05
|
11 | Jenny Bui | IANA Review state changed to IANA - Review Needed |
2024-06-05
|
11 | Jenny Bui | The following Last Call announcement was sent out (ends 2024-06-19): From: The IESG To: IETF-Announce CC: anima-chairs@ietf.org, anima@ietf.org, draft-ietf-anima-brski-ae@ietf.org, mjethanandani@gmail.com, tte@cs.fau.de … The following Last Call announcement was sent out (ends 2024-06-19): From: The IESG To: IETF-Announce CC: anima-chairs@ietf.org, anima@ietf.org, draft-ietf-anima-brski-ae@ietf.org, mjethanandani@gmail.com, tte@cs.fau.de Reply-To: last-call@ietf.org Sender: Subject: Last Call: (BRSKI-AE: Alternative Enrollment Protocols in BRSKI) to Proposed Standard The IESG has received a request from the Autonomic Networking Integrated Model and Approach WG (anima) to consider the following document: - 'BRSKI-AE: Alternative Enrollment Protocols in BRSKI' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2024-06-19. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document defines an enhancement of Bootstrapping Remote Secure Key Infrastructure (BRSKI, RFC 8995). It supports alternative certificate enrollment protocols, such as CMP, that use authenticated self-contained signed objects for certification messages. About This Document This note is to be removed before publishing as an RFC. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-ietf-anima-brski-ae/. Source for this draft and an issue tracker can be found at https://github.com/anima-wg/anima-brski-ae. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-anima-brski-ae/ No IPR declarations have been submitted directly on this I-D. |
2024-06-05
|
11 | Jenny Bui | IESG state changed to In Last Call from Last Call Requested |
2024-06-05
|
11 | Jenny Bui | Last call announcement was generated |
2024-06-05
|
11 | Jenny Bui | Last call announcement was generated |
2024-06-05
|
11 | Mahesh Jethanandani | Last call was requested |
2024-06-05
|
11 | Mahesh Jethanandani | Last call announcement was generated |
2024-06-05
|
11 | Mahesh Jethanandani | Ballot approval text was generated |
2024-06-05
|
11 | Mahesh Jethanandani | Ballot writeup was generated |
2024-06-05
|
11 | Mahesh Jethanandani | IESG state changed to Last Call Requested from AD Evaluation |
2024-06-03
|
11 | Steffen Fries | New version available: draft-ietf-anima-brski-ae-11.txt |
2024-06-03
|
11 | (System) | New version approved |
2024-06-03
|
11 | (System) | Request for posting confirmation emailed to previous authors: David von Oheimb , Hendrik Brockhaus , Steffen Fries |
2024-06-03
|
11 | Steffen Fries | Uploaded new revision |
2024-05-01
|
10 | Mahesh Jethanandani | The AD review can be found here - https://mailarchive.ietf.org/arch/msg/anima/FcEMfqlvGll-FUOmfkIKdNjBe2I/ |
2024-05-01
|
10 | (System) | Changed action holders to Mahesh Jethanandani (IESG state changed) |
2024-05-01
|
10 | Mahesh Jethanandani | IESG state changed to AD Evaluation from Publication Requested |
2024-03-20
|
10 | Liz Flynn | Shepherding AD changed to Mahesh Jethanandani |
2024-03-01
|
10 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-10.txt |
2024-03-01
|
10 | David von Oheimb | New version accepted (logged-in submitter: David von Oheimb) |
2024-03-01
|
10 | David von Oheimb | Uploaded new revision |
2023-12-21
|
09 | Toerless Eckert | # Document Shepherd Write-Up for Group Documents *This version is dated 4 July 2022.* ## Document History 1. Does the working group (WG) consensus represent … # Document Shepherd Write-Up for Group Documents *This version is dated 4 July 2022.* ## Document History 1. Does the working group (WG) consensus represent the strong concurrence of a few individuals, with others being silent, or did it reach broad agreement? This document has good good consensus by all active WG members involved in BRSKI. There where no dissenting opinions raised. 2. Was there controversy about particular points, or were there decisions where the consensus was particularly rough? This document did evolve significantly and beneficially over the course of its life in the WG through the input and work by WG members. See list of acknowledgements in the document. The Shepherd does not think that any consensus on issues was ever rough though. Mayor changes involved renaming/refocussing from "async" enrolment (which is still a key, but not the only target benefit) over to "alternative" enrolments with signed standalone message seucrity or when revisiting the part of the discovery mechanism to remove more advanced mechanisms into a future document as they may take longer to finish. All changes where resolved without without disagreements in the WG. The document issues raised and resolved can be seen in the github: https://github.com/anima-wg/anima-brski-ae/issues 3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. 4. For protocol documents, are there existing implementations of the contents of the document? Have a significant number of potential implementers indicated plans to implement? Are any existing implementations reported somewhere, either in the document itself (as [RFC 7942][3] recommends) or elsewhere (where)? From David.von.Oheimb@siemens.com: Siemens has non-public implementations for the CMP instance of BRSKI-AE, for both the pledge and registrar side, in C and Java. These have been used as a PoC and for interop testing. ## Additional Reviews 5. Do the contents of this document closely interact with technologies in other IETF working groups or external organizations, and would it therefore benefit from their review? Have those reviews occurred? If yes, describe which reviews took place. This work closely depends on the work by the same co-authors in LAMPS, RFC9483. Coordination with that WG was through the co-authors. Aka: this draft is to a good extend an application of RFC9483 and RFC9483 was shaped by the needs of BRSKI-AE as a subset of CMP. 6. Describe how the document meets any required formal expert review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. This document does not contain any formal languages anymore after one reorg of document content in the ANIMA WG which moved all YANG into draft-ietf-anima-rfc8366bis (because YAND didn't allow us to partition ourmodel across multiple BRSKI extension documents including BRSKI-AE). The YANGDOCTORS early review for BRSKI-AE (red) was therefore updated by a last call review to ensure it is clear that the red early review is not applicable anymore. The document does not include any other formal definitions requiring review other than one IANA request for a service name. 7. If the document contains a YANG module, has the final version of the module been checked with any of the [recommended validation tools][4] for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in [RFC 8342][5]? NA. (see above). 8. Describe reviews and automated checks performed to validate sections of the final version of the document written in a formal language, such as XML code, BNF rules, MIB definitions, CBOR's CDDL, etc. NA. (see above). ## Document Shepherd Checks 9. Based on the shepherd's review of the document, is it their opinion that this document is needed, clearly written, complete, correctly designed, and ready to be handed off to the responsible Area Director? The Shepherd did his final WGLC review against rev -08, see: https://mailarchive.ietf.org/arch/msg/anima/QyEq3iB_GsYHO84b1bXpXLADCqg -09 does resolve all remaining issue of that review and all other issues WGLC raised against the document by WG members had also been closed on before. The Shepherd thinks this work is needed for the use cases it addresses, clearly written, complete, corectly designed and ready to be handed off to the responsible AD. 10. Several IETF Areas have assembled [lists of common issues that their reviewers encounter][6]. For which areas have such issues been identified and addressed? For which does this still need to happen in subsequent reviews? The Shepherd has looked through [6], and think that all the typical aspects mentioned that are touched by this document, especially the security aspects are well reviewed, as also shown by SECIDR Last Call review. 11. What type of RFC publication is being requested on the IETF stream ([Best Current Practice][12], [Proposed Standard, Internet Standard][13], [Informational, Experimental or Historic][14])? Why is this the proper type of RFC? Do all Datatracker state attributes correctly reflect this intent? Requested RFC publication type: Proposed Standard. This is correctly reflected by Datatracker. This document defines the protocol extension of BRSKI (RFC8995) to support the CMP by using it's lightweight profile defined in RFC9483. This spec therefore describes mechanim requiring interoperability between a number of parties (pledge, registrar, possibly further transport entities and RA/CA). 12. Have reasonable efforts been made to remind all authors of the intellectual property rights (IPR) disclosure obligations described in [BCP 79][7]? To the best of your knowledge, have all required disclosures been filed? If not, explain why. If yes, summarize any relevant discussion, including links to publicly-available messages when applicable. Yes. An IPR call was made to the WG mailing list during WGLC. All authors confirmed that they are not aware of any IPR for which disclosures have not yet been filed. Note: no disclosures have been filed according to Datatracker. 14. Has each author, editor, and contributor shown their willingness to be listed as such? If the total number of authors and editors on the front page is greater than five, please provide a justification. Yes, each author/editor confirmed willingness to be named as such. Total number of authors is 3. The shepherd thinks that the sole listed contributor 'Eliot Lear' is fine to be listed as such from prior communications, but has sent a reconfirming query to Eliot during this Shepherd writeup. If the reply should be negative, the Shepherd will make sure his mentioning is fixed in the next revision of the document. 14. Document any remaining I-D nits in this document. Simply running the [idnits tool][8] is not enough; please review the ["Content Guidelines" on authors.ietf.org][15]. (Also note that the current idnits tool generates some incorrect warnings; a rewrite is underway.) After re-running IDNITS one oversight was found. The document should put a reference against [RFC8366] after the first mentioning of the word Voucher. This has been opened as an issue on github and will be fixed on the next revision of the document. All the formal requirements from the Content Guidelines are met in the understanding of the Shepherd. 15. Should any informative references be normative or vice-versa? See the [IESG Statement on Normative and Informative References][16]. The Shepherd is not sure if 802.1AE does necessarily have to be listed as normative (instead of informative) given how it is primarily used as a reference for terminology which has been used in prior IETF PKI related security RFCs without similar degree of due diligence of origin referencing. However, the decision to make it normative was not challenged by SECDIR Last Call review and the document is also freely available from IEEE, so the Shepherd has no concerns with the choice. All other normative and informative reference do well match the way they are referenced by the document. 16. List any normative references that are not freely available to anyone. Did the community have sufficient access to review any such normative references? NA. 17. Are there any normative downward references (see [RFC 3967][9] and [BCP 97][10]) that are not already listed in the [DOWNREF registry][17]? If so, list them. No. 18. Are there normative references to documents that are not ready to be submitted to the IESG for publication or are otherwise in an unclear state? If so, what is the plan for their completion? No. 19. Will publication of this document change the status of any existing RFCs? If so, does the Datatracker metadata correctly reflect this and are those RFCs listed on the title page, in the abstract, and discussed in the introduction? If not, explain why and point to the part of the document where the relationship of this document to these other RFCs is discussed. No. 20. Describe the document shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all aspects of the document requiring IANA assignments are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that each newly created IANA registry specifies its initial contents, allocations procedures, and a reasonable name (see [RFC 8126][11]). In the understanding of the Shepherd, the IANA section is complete and consistent with the content of the document. There is only the registration of one new service-name for BRSKI Registrars with CMP support. 21. List any new IANA registries that require Designated Expert Review for future allocations. Are the instructions to the Designated Expert clear? Please include suggestions of designated experts, if appropriate. NA. [1]: https://www.ietf.org/about/groups/iesg/ [2]: https://www.rfc-editor.org/rfc/rfc4858.html [3]: https://www.rfc-editor.org/rfc/rfc7942.html [4]: https://wiki.ietf.org/group/ops/yang-review-tools [5]: https://www.rfc-editor.org/rfc/rfc8342.html [6]: https://wiki.ietf.org/group/iesg/ExpertTopics [7]: https://www.rfc-editor.org/info/bcp79 [8]: https://www.ietf.org/tools/idnits/ [9]: https://www.rfc-editor.org/rfc/rfc3967.html [10]: https://www.rfc-editor.org/info/bcp97 [11]: https://www.rfc-editor.org/rfc/rfc8126.html [12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5 [13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1 [14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2 [15]: https://authors.ietf.org/en/content-guidelines-overview [16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/ [17]: https://datatracker.ietf.org/doc/downref/ |
2023-12-21
|
09 | Toerless Eckert | Responsible AD changed to Robert Wilton |
2023-12-21
|
09 | Toerless Eckert | IETF WG state changed to Submitted to IESG for Publication from In WG Last Call |
2023-12-21
|
09 | Toerless Eckert | IESG state changed to Publication Requested from I-D Exists |
2023-12-21
|
09 | Toerless Eckert | Document is now in IESG state Publication Requested |
2023-12-21
|
09 | Toerless Eckert | Fixing tags (RFC9483 now published) |
2023-12-21
|
09 | Toerless Eckert | Fixing tags (RFC9483 now published) |
2023-12-21
|
09 | Toerless Eckert | Tag Waiting for Referenced Document cleared. |
2023-12-21
|
09 | Toerless Eckert | # Document Shepherd Write-Up for Group Documents *This version is dated 4 July 2022.* ## Document History 1. Does the working group (WG) consensus represent … # Document Shepherd Write-Up for Group Documents *This version is dated 4 July 2022.* ## Document History 1. Does the working group (WG) consensus represent the strong concurrence of a few individuals, with others being silent, or did it reach broad agreement? This document has good good consensus by all active WG members involved in BRSKI. There where no dissenting opinions raised. 2. Was there controversy about particular points, or were there decisions where the consensus was particularly rough? This document did evolve significantly and beneficially over the course of its life in the WG through the input and work by WG members. See list of acknowledgements in the document. The Shepherd does not think that any consensus on issues was ever rough though. Mayor changes involved renaming/refocussing from "async" enrolment (which is still a key, but not the only target benefit) over to "alternative" enrolments with signed standalone message seucrity or when revisiting the part of the discovery mechanism to remove more advanced mechanisms into a future document as they may take longer to finish. All changes where resolved without without disagreements in the WG. The document issues raised and resolved can be seen in the github: https://github.com/anima-wg/anima-brski-ae/issues 3. Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. 4. For protocol documents, are there existing implementations of the contents of the document? Have a significant number of potential implementers indicated plans to implement? Are any existing implementations reported somewhere, either in the document itself (as [RFC 7942][3] recommends) or elsewhere (where)? From David.von.Oheimb@siemens.com: Siemens has non-public implementations for the CMP instance of BRSKI-AE, for both the pledge and registrar side, in C and Java. These have been used as a PoC and for interop testing. ## Additional Reviews 5. Do the contents of this document closely interact with technologies in other IETF working groups or external organizations, and would it therefore benefit from their review? Have those reviews occurred? If yes, describe which reviews took place. This work closely depends on the work by the same co-authors in LAMPS, RFC9483. Coordination with that WG was through the co-authors. Aka: this draft is to a good extend an application of RFC9483 and RFC9483 was shaped by the needs of BRSKI-AE as a subset of CMP. 6. Describe how the document meets any required formal expert review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. This document does not contain any formal languages anymore after one reorg of document content in the ANIMA WG which moved all YANG into draft-ietf-anima-rfc8366bis (because YAND didn't allow us to partition ourmodel across multiple BRSKI extension documents including BRSKI-AE). The YANGDOCTORS early review for BRSKI-AE (red) was therefore updated by a last call review to ensure it is clear that the red early review is not applicable anymore. The document does not include any other formal definitions requiring review other than one IANA request for a service name. 7. If the document contains a YANG module, has the final version of the module been checked with any of the [recommended validation tools][4] for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in [RFC 8342][5]? NA. (see above). 8. Describe reviews and automated checks performed to validate sections of the final version of the document written in a formal language, such as XML code, BNF rules, MIB definitions, CBOR's CDDL, etc. NA. (see above). ## Document Shepherd Checks 9. Based on the shepherd's review of the document, is it their opinion that this document is needed, clearly written, complete, correctly designed, and ready to be handed off to the responsible Area Director? The Shepherd did his final WGLC review against rev -08, see: https://mailarchive.ietf.org/arch/msg/anima/QyEq3iB_GsYHO84b1bXpXLADCqg -09 does resolve all remaining issue of that review and all other issues WGLC raised against the document by WG members had also been closed on before. The Shepherd thinks this work is needed for the use cases it addresses, clearly written, complete, corectly designed and ready to be handed off to the responsible AD. 10. Several IETF Areas have assembled [lists of common issues that their reviewers encounter][6]. For which areas have such issues been identified and addressed? For which does this still need to happen in subsequent reviews? The Shepherd has looked through [6], and think that all the typical aspects mentioned that are touched by this document, especially the security aspects are well reviewed, as also shown by SECIDR Last Call review. 11. What type of RFC publication is being requested on the IETF stream ([Best Current Practice][12], [Proposed Standard, Internet Standard][13], [Informational, Experimental or Historic][14])? Why is this the proper type of RFC? Do all Datatracker state attributes correctly reflect this intent? Requested RFC publication type: Proposed Standard. This is correctly reflected by Datatracker. This document defines the protocol extension of BRSKI (RFC8995) to support the CMP by using it's lightweight profile defined in RFC9483. This spec therefore describes mechanim requiring interoperability between a number of parties (pledge, registrar, possibly further transport entities and RA/CA). 12. Have reasonable efforts been made to remind all authors of the intellectual property rights (IPR) disclosure obligations described in [BCP 79][7]? To the best of your knowledge, have all required disclosures been filed? If not, explain why. If yes, summarize any relevant discussion, including links to publicly-available messages when applicable. Yes. An IPR call was made to the WG mailing list during WGLC. All authors confirmed that they are not aware of any IPR for which disclosures have not yet been filed. Note: no disclosures have been filed according to Datatracker. 14. Has each author, editor, and contributor shown their willingness to be listed as such? If the total number of authors and editors on the front page is greater than five, please provide a justification. Yes, each author/editor confirmed willingness to be named as such. Total number of authors is 3. The shepherd thinks that the sole listed contributor 'Eliot Lear' is fine to be listed as such from prior communications, but has sent a reconfirming query to Eliot during this Shepherd writeup. If the reply should be negative, the Shepherd will make sure his mentioning is fixed in the next revision of the document. 14. Document any remaining I-D nits in this document. Simply running the [idnits tool][8] is not enough; please review the ["Content Guidelines" on authors.ietf.org][15]. (Also note that the current idnits tool generates some incorrect warnings; a rewrite is underway.) After re-running IDNITS one oversight was found. The document should put a reference against [RFC8366] after the first mentioning of the word Voucher. This has been opened as an issue on github and will be fixed on the next revision of the document. All the formal requirements from the Content Guidelines are met in the understanding of the Shepherd. 15. Should any informative references be normative or vice-versa? See the [IESG Statement on Normative and Informative References][16]. The Shepherd is not sure if 802.1AE does necessarily have to be listed as normative (instead of informative) given how it is primarily used as a reference for terminology which has been used in prior IETF PKI related security RFCs without similar degree of due diligence of origin referencing. However, the decision to make it normative was not challenged by SECDIR Last Call review and the document is also freely available from IEEE, so the Shepherd has no concerns with the choice. All other normative and informative reference do well match the way they are referenced by the document. 16. List any normative references that are not freely available to anyone. Did the community have sufficient access to review any such normative references? NA. 17. Are there any normative downward references (see [RFC 3967][9] and [BCP 97][10]) that are not already listed in the [DOWNREF registry][17]? If so, list them. No. 18. Are there normative references to documents that are not ready to be submitted to the IESG for publication or are otherwise in an unclear state? If so, what is the plan for their completion? No. 19. Will publication of this document change the status of any existing RFCs? If so, does the Datatracker metadata correctly reflect this and are those RFCs listed on the title page, in the abstract, and discussed in the introduction? If not, explain why and point to the part of the document where the relationship of this document to these other RFCs is discussed. No. 20. Describe the document shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all aspects of the document requiring IANA assignments are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that each newly created IANA registry specifies its initial contents, allocations procedures, and a reasonable name (see [RFC 8126][11]). In the understanding of the Shepherd, the IANA section is complete and consistent with the content of the document. There is only the registration of one new service-name for BRSKI Registrars with CMP support. 21. List any new IANA registries that require Designated Expert Review for future allocations. Are the instructions to the Designated Expert clear? Please include suggestions of designated experts, if appropriate. NA. [1]: https://www.ietf.org/about/groups/iesg/ [2]: https://www.rfc-editor.org/rfc/rfc4858.html [3]: https://www.rfc-editor.org/rfc/rfc7942.html [4]: https://wiki.ietf.org/group/ops/yang-review-tools [5]: https://www.rfc-editor.org/rfc/rfc8342.html [6]: https://wiki.ietf.org/group/iesg/ExpertTopics [7]: https://www.rfc-editor.org/info/bcp79 [8]: https://www.ietf.org/tools/idnits/ [9]: https://www.rfc-editor.org/rfc/rfc3967.html [10]: https://www.rfc-editor.org/info/bcp97 [11]: https://www.rfc-editor.org/rfc/rfc8126.html [12]: https://www.rfc-editor.org/rfc/rfc2026.html#section-5 [13]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.1 [14]: https://www.rfc-editor.org/rfc/rfc2026.html#section-4.2 [15]: https://authors.ietf.org/en/content-guidelines-overview [16]: https://www.ietf.org/about/groups/iesg/statements/normative-informative-references/ [17]: https://datatracker.ietf.org/doc/downref/ |
2023-12-21
|
09 | Toerless Eckert | Changed consensus to Yes from Unknown |
2023-12-21
|
09 | Toerless Eckert | Fixing up Datatracker attribute while doing Shepherd review. |
2023-12-21
|
09 | Toerless Eckert | Intended Status changed to Proposed Standard from None |
2023-12-19
|
09 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-09.txt |
2023-12-19
|
09 | David von Oheimb | New version accepted (logged-in submitter: David von Oheimb) |
2023-12-19
|
09 | David von Oheimb | Uploaded new revision |
2023-12-11
|
08 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-08.txt |
2023-12-11
|
08 | David von Oheimb | New version accepted (logged-in submitter: David von Oheimb) |
2023-12-11
|
08 | David von Oheimb | Uploaded new revision |
2023-11-17
|
07 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-07.txt |
2023-11-17
|
07 | David von Oheimb | New version accepted (logged-in submitter: David von Oheimb) |
2023-11-17
|
07 | David von Oheimb | Uploaded new revision |
2023-11-04
|
06 | Barry Leiba | Request for Last Call review by SECDIR Completed: Ready. Reviewer: Barry Leiba. Sent review to list. |
2023-10-20
|
06 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-06.txt |
2023-10-20
|
06 | David von Oheimb | New version accepted (logged-in submitter: David von Oheimb) |
2023-10-20
|
06 | David von Oheimb | Uploaded new revision |
2023-08-31
|
05 | Reshad Rahman | Request for Last Call review by YANGDOCTORS Completed: Ready. Reviewer: Reshad Rahman. Sent review to list. |
2023-08-31
|
05 | Mehmet Ersue | Request for Last Call review by YANGDOCTORS is assigned to Reshad Rahman |
2023-08-10
|
05 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Barry Leiba |
2023-08-10
|
05 | Tero Kivinen | Closed request for Last Call review by SECDIR with state 'Overtaken by Events' |
2023-08-07
|
05 | Toerless Eckert | Requested Last Call review by YANGDOCTORS |
2023-08-07
|
05 | Toerless Eckert | Requested Last Call review by SECDIR |
2023-08-07
|
05 | Toerless Eckert | Requested Last Call review by SECDIR |
2023-08-01
|
05 | Toerless Eckert | This document was put into WG last call, but state change in datatracker was missed. It did pass all WG last call comments except discovery … This document was put into WG last call, but state change in datatracker was missed. It did pass all WG last call comments except discovery issues, which are being worked on now (07/2023) |
2023-08-01
|
05 | Toerless Eckert | Tag Waiting for Referenced Document set. |
2023-08-01
|
05 | Toerless Eckert | IETF WG state changed to In WG Last Call from WG Document |
2023-06-28
|
05 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-05.txt |
2023-06-28
|
05 | David von Oheimb | New version accepted (logged-in submitter: David von Oheimb) |
2023-06-28
|
05 | David von Oheimb | Uploaded new revision |
2023-03-13
|
04 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-04.txt |
2023-03-13
|
04 | David von Oheimb | New version accepted (logged-in submitter: David von Oheimb) |
2023-03-13
|
04 | David von Oheimb | Uploaded new revision |
2023-01-17
|
03 | Toerless Eckert | Notification list changed to tte@cs.fau.de because the document shepherd was set |
2023-01-17
|
03 | Toerless Eckert | Document shepherd changed to Toerless Eckert |
2023-01-10
|
03 | Barry Leiba | Request for Early review by SECDIR Completed: Has Issues. Reviewer: Barry Leiba. Sent review to list. |
2022-11-24
|
03 | Tero Kivinen | Request for Early review by SECDIR is assigned to Barry Leiba |
2022-11-24
|
03 | Tero Kivinen | Request for Early review by SECDIR is assigned to Barry Leiba |
2022-11-22
|
03 | Toerless Eckert | Requested Early review by SECDIR |
2022-10-24
|
03 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-03.txt |
2022-10-24
|
03 | (System) | New version approved |
2022-10-24
|
03 | (System) | Request for posting confirmation emailed to previous authors: David von Oheimb , Eliot Lear , Hendrik Brockhaus , Steffen Fries , anima-chairs@ietf.org |
2022-10-24
|
03 | David von Oheimb | Uploaded new revision |
2022-06-03
|
02 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-02.txt |
2022-06-03
|
02 | (System) | New version approved |
2022-06-03
|
02 | (System) | Request for posting confirmation emailed to previous authors: David von Oheimb , Eliot Lear , Hendrik Brockhaus , Steffen Fries |
2022-06-03
|
02 | David von Oheimb | Uploaded new revision |
2022-04-06
|
01 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-01.txt |
2022-04-06
|
01 | (System) | New version accepted (logged-in submitter: David von Oheimb) |
2022-04-06
|
01 | David von Oheimb | Uploaded new revision |
2022-04-06
|
00 | Tina Dang | This document now replaces draft-ietf-anima-brski-async-enroll instead of None |
2022-04-06
|
00 | David von Oheimb | New version available: draft-ietf-anima-brski-ae-00.txt |
2022-04-06
|
00 | (System) | Posted submission manually |
2022-04-06
|
00 | David von Oheimb | Uploaded new revision |